deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

dates

Browse Source
This commit is contained in:
Paolo Matarazzo
2024-09-06 13:42:08 -04:00
parent 4b67f4e84f
commit cbf739390b
27 changed files with 60 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
q Normal file
View File

@ -0,0 +1,13 @@
_backup-20240611
_backup-202408
main
pm-20230820-passkeys-by
pm-20240722-passkeys-bt
pm-20240731-kiosk
pm-20240805-bitlocker-pcr
pm-20240814-certification-metadata
pm-20240820-whfb
* pm-20240906-freshness
pm-9156843-config-refresh
pm-key-protection-with-vbs
security-book-24

2
windows/security/book/application-security-application-and-driver-control.md
View File

@ -2,7 +2,7 @@
title: Application and driver control
description: Windows 11 security book - Application and driver control.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Application and driver control

2
windows/security/book/application-security-application-isolation.md
View File

@ -2,7 +2,7 @@
title: Application isolation
description: Windows 11 security book - Application isolation.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Application isolation

2
windows/security/book/application-security.md
View File

@ -2,7 +2,7 @@
title: Application security
description: Windows 11 security book - Application security chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Application security

4
windows/security/book/cloud-services-protect-your-personal-information.md
View File

@ -2,7 +2,7 @@
title: Cloud services - Protect your personal information
description: Windows 11 security book - Cloud services chapter - Protect your personal information.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Protect your personal information
@ -17,7 +17,7 @@ You can even go passwordless with your Microsoft Account by removing the passwor
- Windows Re-authentication upon updating settings for 'If you've been away, when should Windows require you to sign in again: When users seek to disable their password for unlocking when away via Windows Settings, they will be prompted to re-authenticate with their account and password.
- Windows Re-authentication upon disabling password for device restarts: When users try to enable this setting, they are re-authenticated with their account and password. Upon successful authentication, the password is disabled for future device restarts.
- Windows Re-authentication upon disabling password for device restarts: When users try to enable this setting, they are re-authenticated with their account and password. Upon successful authentication, the password is disabled for future device restarts.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**

28
windows/security/book/cloud-services-protect-your-work-information.md
View File

@ -2,7 +2,7 @@
title: Cloud services - Protect your work information
description: Windows 11 security book - Cloud services chapter - Protect your work information.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Protect your work information
@ -165,8 +165,8 @@ Once this verification is complete, the attestation service returns a signed rep
## Windows Update for Business deployment service
The service that was known as Windows Update for Business deployment service has been woven into Windows Autopatch, offering a more coherent experience while simplifying the update experience.
The new interface is a unified dashboard conveniently organized into four main sections to help you make update management more efficient:
The service that was known as Windows Update for Business deployment service has been woven into Windows Autopatch, offering a more coherent experience while simplifying the update experience.
The new interface is a unified dashboard conveniently organized into four main sections to help you make update management more efficient:
- Update policies: Control updating timing and methods.
- Update groups: Categorize your devices into tailored update rings.
@ -180,13 +180,13 @@ The new interface is a unified dashboard conveniently organized into four main s
## Windows Autopatch
Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It is essential to maintain current updates to seal security gaps, though the process of planning, tracking, and compliance reporting may divert IT resources from other critical work.
Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It is essential to maintain current updates to seal security gaps, though the process of planning, tracking, and compliance reporting may divert IT resources from other critical work.
Available as part of Windows Enterprise E3 and E5, Windows Autopatch is the cloud service that helps you protect against evolving threats and vulnerabilities with timely update deployment. Windows Autopatch streamlines security, stability and feature updates for Windows Enterprise, enhancing both security and productivity throughout your company.
Available as part of Windows Enterprise E3 and E5, Windows Autopatch is the cloud service that helps you protect against evolving threats and vulnerabilities with timely update deployment. Windows Autopatch streamlines security, stability and feature updates for Windows Enterprise, enhancing both security and productivity throughout your company.
The service is built for ease of use and gives IT administrators the option to tailor it to meet the unique needs of their business with Autopatch groups. This feature allows you to customize deployments based on needs or critical business processes without extra costs or unplanned disruptions. For example, you may decide to delay rollout of updates for the finance team to mitigate risk of disruptions at the end of a quarter.
From a technical standpoint, the service utilizes Microsoft Intune policies and your current Intune Update rings. The servicess use of your rings allows you to take advantage of Windows Autopatch reporting and device readiness without having to redeploy or modify your existing update configurations. The deployment of your Intune policies to enrolled tenants and continuously monitoring of those policies by Autopatch means that you can easily identify and resolve any conflicts.
From a technical standpoint, the service utilizes Microsoft Intune policies and your current Intune Update rings. The servicess use of your rings allows you to take advantage of Windows Autopatch reporting and device readiness without having to redeploy or modify your existing update configurations. The deployment of your Intune policies to enrolled tenants and continuously monitoring of those policies by Autopatch means that you can easily identify and resolve any conflicts.
Comprehensive reporting is available via a summary dashboard displaying quality status and trends, and a reliability report. The reliability score is derived from stop error codes observed on managed devices, enabling improved insights about potential impacts of updates on devices.
@ -202,15 +202,15 @@ Theres a lot more to learn about Windows Autopatch: this [Forrester Consultin
Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If youre purchasing new devices or managing device refresh cycles for employees, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process thats both easy and simple.
With Windows Autopilot, theres no need to reimage or manually set-up devices before giving them to your employees. Your hardware vendor can ship them, ready to go, straight to your employees. From a user perspective, they turn their device on, go online, and Windows Autopilot delivers apps and settings.
With Windows Autopilot, theres no need to reimage or manually set-up devices before giving them to your employees. Your hardware vendor can ship them, ready to go, straight to your employees. From a user perspective, they turn their device on, go online, and Windows Autopilot delivers apps and settings.
Windows Autopilot enables you to:
- Automatically join devices to Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> or Active Directory via hybrid Microsoft Entra ID Join. For more information about the differences between these two join options, see [Introduction to device management in Microsoft Entra ID](/azure/active-directory/device-management-introduction).
- Auto-enroll devices into MDM services such as Microsoft Intune (requires an Microsoft Entra ID Premium subscription for configuration).
- Change the edition of Windows being used to support advanced features (e.g., upgrading to Windows 11 Enterprise).
- Change the edition of Windows being used to support advanced features (e.g., upgrading to Windows 11 Enterprise).
- Create and auto-assignment of devices to configuration groups based on a devices profile.
- Customization of the out-of-box experience (OOBE) content specific to the organization.
- Customization of the out-of-box experience (OOBE) content specific to the organization.
Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset). The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
@ -218,15 +218,15 @@ Existing devices can also be quickly prepared for a new user with [Windows Autop
- [Windows Autopilot](https://aka.ms/WindowsAutopilot)
## Windows Update Management
## Windows Update Management
Cybercriminals often target outdated or unpatched software to gain access to networks. Keeping endpoints up to date is critical in closing existing vulnerabilities, but planning, monitoring, and reporting on update compliance can take IT resources away from other important tasks. Windows Autopatch provides enterprise-level organizations with a cloud-native approach to updating the OS, an integral tool for reducing your attack surface by driving up patch compliance rates.
Cybercriminals often target outdated or unpatched software to gain access to networks. Keeping endpoints up to date is critical in closing existing vulnerabilities, but planning, monitoring, and reporting on update compliance can take IT resources away from other important tasks. Windows Autopatch provides enterprise-level organizations with a cloud-native approach to updating the OS, an integral tool for reducing your attack surface by driving up patch compliance rates.
Windows Autopatch simplifies update management with automated quality, security and feature updates for Windows devices, Microsoft 365 apps, Teams, and Edge. By leveraging Windows Autopatch to simplify your endpoint management, you can secure your endpoints with timely update deployments while at the same time giving your IT team more time to focus on high-value contributions to the business, and while maximizing the value from your Windows Enterprise subscription.
Windows Autopatch simplifies update management with automated quality, security and feature updates for Windows devices, Microsoft 365 apps, Teams, and Edge. By leveraging Windows Autopatch to simplify your endpoint management, you can secure your endpoints with timely update deployments while at the same time giving your IT team more time to focus on high-value contributions to the business, and while maximizing the value from your Windows Enterprise subscription.
Windows Autopatch configures Windows Update for Business policies and deployment services, ensuring up-to-date endpoints and detailed compliance reports for IT admins. Administrators can customize these configurations to align with their organization's structure, allowing tailored deployment schedules and content for different device populations. Ultimately, automating the update management process enhances security and operational efficiency by ensuring that endpoints remain current while providing detailed compliance reports to IT admins.
Windows Autopatch configures Windows Update for Business policies and deployment services, ensuring up-to-date endpoints and detailed compliance reports for IT admins. Administrators can customize these configurations to align with their organization's structure, allowing tailored deployment schedules and content for different device populations. Ultimately, automating the update management process enhances security and operational efficiency by ensuring that endpoints remain current while providing detailed compliance reports to IT admins.
Explore more about Windows Autopatch through [Forrester study](https://aka.ms/AutopatchProductivity) commissioned by Microsoft, regular updates on the [IT pro blogs](https://aka.ms/MoreAboutAutopatch) , and [Windows Autopatch community](https://aka.ms/AutopatchCommunity) resources offering insights and support.
Explore more about Windows Autopatch through [Forrester study](https://aka.ms/AutopatchProductivity) commissioned by Microsoft, regular updates on the [IT pro blogs](https://aka.ms/MoreAboutAutopatch) , and [Windows Autopatch community](https://aka.ms/AutopatchCommunity) resources offering insights and support.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**

2
windows/security/book/cloud-services.md
View File

@ -2,7 +2,7 @@
title: Cloud services
description: Windows 11 security book - Cloud services chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Cloud services

2
windows/security/book/conclusion.md
View File

@ -2,7 +2,7 @@
title: Conclusion
description: Conclusion
ms.topic: overview
ms.date: 06/17/2024
ms.date: 09/06/2024
---
# Conclusion

2
windows/security/book/features-index.md
View File

@ -2,7 +2,7 @@
title: Features index
description: Windows security book features index.
ms.topic: overview
ms.date: 07/26/2024
ms.date: 09/06/2024
---
# Features index

2
windows/security/book/hardware-security-hardware-root-of-trust.md
View File

@ -2,7 +2,7 @@
title: Hardware root-of-trust
description: Windows 11 security book - Hardware root-of-trust.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Hardware root-of-trust

2
windows/security/book/hardware-security-silicon-assisted-security.md
View File

@ -2,7 +2,7 @@
title: Silicon assisted security
description: Windows 11 security book - Silicon assisted security.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Silicon assisted security

2
windows/security/book/hardware-security.md
View File

@ -2,7 +2,7 @@
title: Hardware security
description: Windows 11 security book - Hardware security chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Hardware security

2
windows/security/book/identity-protection-advanced-credential-protection.md
View File

@ -2,7 +2,7 @@
title: Identity protection - Advanced credential protection
description: Windows 11 security book -Identity protection chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Advanced credential protection

2
windows/security/book/identity-protection-passwordless-sign-in.md
View File

@ -2,7 +2,7 @@
title: Identity protection - Passwordless sign-in
description: Windows 11 security book -Identity protection chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Passwordless sign-in

2
windows/security/book/identity-protection.md
View File

@ -2,7 +2,7 @@
title: Identity protection
description: Windows 11 security book -Identity protection chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Identity protection

2
windows/security/book/index.md
View File

@ -2,7 +2,7 @@
title: Windows security book introduction
description: Windows security book introduction
ms.topic: overview
ms.date: 06/17/2024
ms.date: 09/06/2024
---
# Windows 11 Security Book

2
windows/security/book/operating-system-security-encryption-and-data-protection.md
View File

@ -2,7 +2,7 @@
title: Operating System security
description: Windows 11 security book - Operating System security chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Encryption and data protection

16
windows/security/book/operating-system-security-network-security.md
View File

@ -2,7 +2,7 @@
title: Operating System security
description: Windows 11 security book - Operating System security chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Network security
@ -129,24 +129,24 @@ Signing is now required by default for all SMB outbound and inbound connections.
SMB NTLM blocking: The SMB client now supports blocking NTLM authentication for remote outbound connections. Blocking NTLM authentication prevents bad actors from tricking clients into sending NTLM requests to malicious servers, counteracting brute force, cracking, and pass-the-hash attacks. NTLM blocking is also required for switching an organization's authentication protocols to Kerberos, which is more secure than NTLM because it can verify server identities with its ticket system. You can also allow exceptions to allow NTLM authentication over SMB to specific servers only.
SMB authentication rate limiter: The SMB authentication rate limiter is a feature of SMB server designed to address brute force authentication attacks. Bruce force authentication attacks bombard the SMB server with multiple username and password-guesses and the frequency can range from dozens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default with a 2 second delay between each failed NTLM or Local KDC Kerberos-based authentication attempt. An attack that sends 300 guesses per second for 5 minutes, for example - 90,000 password guess attempts - would now take 50 hours to complete, increasing the likelihood of detection and diminishing the likelihood of successful guessing.
SMB authentication rate limiter: The SMB authentication rate limiter is a feature of SMB server designed to address brute force authentication attacks. Bruce force authentication attacks bombard the SMB server with multiple username and password-guesses and the frequency can range from dozens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default with a 2 second delay between each failed NTLM or Local KDC Kerberos-based authentication attempt. An attack that sends 300 guesses per second for 5 minutes, for example - 90,000 password guess attempts - would now take 50 hours to complete, increasing the likelihood of detection and diminishing the likelihood of successful guessing.
SMB insecure guest auth now off by default in Windows Pro editions: SMB insecure guest auth now off by default in Windows Pro editions: Windows 11 Pro no longer allows SMB client guest connections or guest fallback to an SMB server by default. This makes Windows 11 Pro operate like Windows 10 and Windows 11 Enterprise, Education, and Pro for Workstation editions have for years. Guest logons don't require passwords & don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios - for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that tricks a client into thinking it's a legitimate one. The attacker doesn't need to know the user's credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't allowed the general use of guest in server scenarios since Windows 2000.
SMB over QUIC client access control: SMB over QUIC client access control enables you to restrict which clients can access SMB over QUIC servers. Client access control creates allow and blocklists for devices to connect to the file server. Client access control gives organizations more protection without changing the authentication used when making the SMB connection, nor does it alter the end user experience. SMB over QUIC is available in Windows Server 2022 Datacenter: Azure Edition and now also in Windows Server 2025 (all editions). The SMB over QUIC client can now also be completely disabled or configured only to allow connection to specific servers.
SMB encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption.
SMB over QUIC client access control: SMB over QUIC client access control enables you to restrict which clients can access SMB over QUIC servers. Client access control creates allow and blocklists for devices to connect to the file server. Client access control gives organizations more protection without changing the authentication used when making the SMB connection, nor does it alter the end user experience. SMB over QUIC is available in Windows Server 2022 Datacenter: Azure Edition and now also in Windows Server 2025 (all editions). The SMB over QUIC client can now also be completely disabled or configured only to allow connection to specific servers.
SMB encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption.
SMB dialect management: By default SMB server and client automatically negotiates the highest matched dialect from SMB 2.0.2 to 3.1.1. You can now specify the SMB protocols used, blocking older, less secure, versions from connecting to the server. For example, you can specify connection to only use SMB 3.1.1, the most secure dialect of the protocol. The minimum and maximum can be set independently on both the SMB client and server, and you can set just a minimum if desired.
SMB dialect management: By default SMB server and client automatically negotiates the highest matched dialect from SMB 2.0.2 to 3.1.1. You can now specify the SMB protocols used, blocking older, less secure, versions from connecting to the server. For example, you can specify connection to only use SMB 3.1.1, the most secure dialect of the protocol. The minimum and maximum can be set independently on both the SMB client and server, and you can set just a minimum if desired.
SMB client encryption mandate now supported: The SMB client now supports requiring encryption of all outbound SMB connections. Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing, which allows both client and server requirements. When enabled, the SMB client won't connect to an SMB server that doesn't support SMB 3.0 or later, or that doesn't support SMB encryption. For example, a third-party SMB server might support SMB 3.0 but not SMB encryption. Unlike SMB signing, encryption is not required by default.
SMB client encryption mandate now supported: The SMB client now supports requiring encryption of all outbound SMB connections. Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing, which allows both client and server requirements. When enabled, the SMB client won't connect to an SMB server that doesn't support SMB 3.0 or later, or that doesn't support SMB encryption. For example, a third-party SMB server might support SMB 3.0 but not SMB encryption. Unlike SMB signing, encryption is not required by default.
Remote Mailslots are now deprecated and disabled by default for SMB and DCLocator usage with Active Directory. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS.
Remote Mailslots are now deprecated and disabled by default for SMB and DCLocator usage with Active Directory. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS.
SMB alternative ports: You can use the SMB client to connect to alternative IANA/IETF TCP, QUIC, and RDMA ports than their defaults of 445, 5445, and 443. You can only connect to alternative ports if the SMB server is configured to support listening on that port. You can also configure your deployment to block configuring alternative ports or specify that ports can only connect to certain servers. In the case of Windows Server, only SMB over QUIC on Windows Server 2025 can be configured to listen on an alternative port.
SMB Firewall changes: The built-in firewall rules doesn't contain the SMB NetBIOS ports anymore.If you need to use an SMB1 server for legacy compatibility reasons, you must manually reconfigure the firewall to open those portsThis change brings SMB firewall rules more in line with the standard behavior for the Windows Server File Server role. Administrators can reconfigure the rules to restore the legacy ports.
SMB auditing improvements: SMB now supports auditing use of SMB over QUIC, missing third party support for encryption, and missing third party support for signing. These all operate at the SMB server and SMB client level.
SMB auditing improvements: SMB now supports auditing use of SMB over QUIC, missing third party support for encryption, and missing third party support for signing. These all operate at the SMB server and SMB client level.

2
windows/security/book/operating-system-security-system-security.md
View File

@ -2,7 +2,7 @@
title: Operating System security
description: Windows 11 security book - Operating System security chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# System security

2
windows/security/book/operating-system-security-virus-and-threat-protection.md
View File

@ -2,7 +2,7 @@
title: Operating System security
description: Windows 11 security book - Operating System security chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Virus and threat protection

2
windows/security/book/operating-system-security.md
View File

@ -2,7 +2,7 @@
title: Operating System security
description: Windows 11 security book - Operating System security chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Operating System security

2
windows/security/book/privacy-controls.md
View File

@ -2,7 +2,7 @@
title: Privacy
description: Windows 11 security book - Privacy chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Privacy controls

2
windows/security/book/privacy.md
View File

@ -2,7 +2,7 @@
title: Privacy
description: Windows 11 security book - Privacy chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Privacy

2
windows/security/book/security-foundation-certification.md
View File

@ -2,7 +2,7 @@
title: Security foundation
description: Windows 11 security book - Security foundation chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Certification

2
windows/security/book/security-foundation-offensive-research.md
View File

@ -2,7 +2,7 @@
title: Security foundation
description: Windows 11 security book - Security foundation chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Offensive research

2
windows/security/book/security-foundation-secure-supply-chain.md
View File

@ -2,7 +2,7 @@
title: Secure supply chain
description: Windows 11 security book - Security foundation chapter - Secure supply chain.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Secure supply chain

2
windows/security/book/security-foundation.md
View File

@ -2,7 +2,7 @@
title: Security foundation
description: Windows 11 security book - Security foundation chapter.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 09/06/2024
---
# Security foundation